Automated honeypot creation within a network

ABSTRACT

Systems and methods for managing Application Programming Interfaces (APIs) are disclosed. Systems may involve automatically generating a honeypot. For example, the system may include one or more memory units storing instructions and one or more processors configured to execute the instructions to perform operations. The operations may include receiving, from a client device, a call to an API node and classifying the call as unauthorized. The operation may include sending the call to a node-imitating model associated with the API node and receiving, from the node-imitating model, synthetic node output data. The operations may include sending a notification based on the synthetic node output data to the client device.

CROSS REFERENCE TO RELATED APPLICATIONS

This application is a continuation of U.S. patent application Ser. No. 16/362,537, filed Mar. 22, 2019, which claims the benefit of U.S. Provisional Application No. 62/694,968, filed Jul. 6, 2018, the content of which is expressly incorporated herein by reference in its entirety.

This application relates to U.S. patent application Ser. No. 16/151,385 filed on Oct. 4, 2018, and titled “Data Model Generation Using Generative Adversarial Networks.” This application also relates to U.S. patent application Ser. No. 16/362,466, filed Mar. 22, 2019, and titled “Systems and Methods System to Identify Breaking Application Program Interface Changes.” In addition, this application relates to U.S. patent application Ser. No. 16/362,568, filed Mar. 22, 2019, and titled “Systems and Methods to Manage Application Program Interface Communications.” The disclosures of the aforementioned applications are expressly incorporated herein by reference in their entirety.

BACKGROUND

Systems that include Application Programming Interfaces (APIs) suffer from security vulnerabilities. Malicious actors seeking to exploit vulnerabilities may access valuable confidential data. For example, malicious actors may make unauthorized API calls (e.g., calls from an intruder, a hacker, a malicious actor internal or external to a network). In some cases, the unauthorized call may be associated with an authorized user of a computer network (e.g., a malicious actor may use an authorized user's account credentials; an employee may access a computer system for illegitimate purposes, etc.). The malicious actor may be a human user or a computer system (e.g., a bot, an application, program, or script).

Conventionally, when a malicious actor is detected, the malicious actor is often blocked or otherwise prevented access. For example, the user may be blocked based on an IP address. However, merely blocking the malicious actor does not address underlying data insecurity problems. Further, blocking may leave the system vulnerable to future attempts by the same malicious actor (e.g., using a different IP address). These conventional approaches may be unsatisfactory because the approaches miss opportunities to detect and identify the malicious actor. Conventional approaches miss opportunities to identify where or how stolen data may be used.

One conventional solution to the problem of malicious actors involves “honeypots.” A honeypot generally refers to a system that includes fake data that appears to be legitimate to a malicious actor. Honeypots may be designed to conduct research on a malicious actor or to waste resources of a malicious actor by providing high volume of fake data and fake network traffic.

However, conventional approaches to honeypots suffer from deficiencies. Many honeypot systems require up-front design of dedicated honeypot resources (e.g., APIs, servers, databases or the like) unique to a particular environment, which differ from legitimate system resources. For example, a honeypot may include a pathway to route suspected malicious actors through network resources to fake databases, servers, APIs, etc. The pathway and honeypot system components may require design and development independently from the other system components. Conventional honeypot systems require human supervision to design, develop, and implement. These approaches provide only limited means to develop honeypots and do not automatically scale or adjust to changing system conditions.

Therefore, in view of the shortcomings and problems with conventional approaches to detecting and monitoring malicious actors, there is a need for efficient, unconventional systems that automatically generate and implement honeypots in response to detected malicious actors.

SUMMARY

The disclosed embodiments provide unconventional methods and systems for managing APIs. The disclosed systems and methods may be implemented using a combination of conventional hardware and software as well as specialized hardware and software, such as a machine constructed and/or programmed specifically for performing functions associated with the disclosed method steps.

Consistent with the present embodiments, a system for managing APIs disclosed. The system may include one or more memory units storing instructions and one or more processors configured to execute the instructions to perform operations. The operations may include receiving, from a client device, a call to an API node and classifying the call as unauthorized. The operations may include sending, based on the classification, the call to a node-imitating model associated with the API node. The operations may include receiving, from the node-imitating model, synthetic node output data based on the call and sending a notification to the client device. The notification may be based on the synthetic node output data.

Consistent with the present embodiments, a method for managing APIs is disclosed. The method may include receiving, from a client device, a call to an API node and classifying the call as unauthorized. The method may include sending, based on the classification, the call to a node-imitating model associated with the API node. The method may include receiving, from the node-imitating model, synthetic node output data based on the call and sending a notification to the client device. The notification may be based on the synthetic node output data.

Consistent with other disclosed embodiments, non-transitory computer readable storage media may store program instructions, which are executed by at least one processor device and perform any of the methods described herein.

The foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the claims.

BRIEF DESCRIPTION OF THE DRAWINGS

The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate several embodiments and, together with the description, serve to explain the disclosed principles. In the drawings:

FIG. 1 is a diagram of an exemplary system for managing APIs, consistent with disclosed embodiments.

FIG. 2A is an illustration of an exemplary interface, consistent with disclosed embodiments.

FIG. 2B is an illustration of an exemplary interface, consistent with disclosed embodiments.

FIG. 3 depicts an exemplary API management system, consistent with disclosed embodiments.

FIG. 4 depicts an exemplary process for training and implementing a node-testing model, consistent with disclosed embodiments.

FIG. 5 depicts an exemplary system for training a translation model, consistent with the disclosed embodiments.

FIG. 6 depicts an exemplary process for managing APIs, consistent with disclosed embodiments.

FIG. 7 depicts an exemplary process for training a node-testing model, consistent with disclosed embodiments.

FIG. 8 depicts an exemplary process for testing a translation model, consistent with disclosed embodiments.

FIG. 9 depicts an exemplary process for implementing a translation model, consistent with disclosed embodiments.

FIG. 10 depicts an exemplary process for training and implementing a node-imitating model, consistent with disclosed embodiments.

FIG. 11, depicts an exemplary process for managing unauthorized API calls, consistent with disclosed embodiments.

FIG. 12 depicts an exemplary process for training a node-imitating model, consistent with disclosed embodiments.

FIG. 13 depicts an exemplary process for identifying suspicious data, consistent with disclosed embodiments.

DESCRIPTION OF THE EMBODIMENTS

Disclosed embodiments improve API management by identifying and improving API call errors, API routing, API versioning, and unauthorized API access. APIs of the embodiments may include remote APIs (web-based, cloud-based, or server-based APIs) and/or local APIs (APIs hosted on a local machine or local network). In the embodiments, APIs may include communication protocols and one or more software or programming libraries. The embodiments provide unconventional systems and methods for training models to test API nodes, translate API calls between API versions, and imitate API nodes. These systems and methods may be used to facilitate effective communication between APIs of different versions, that otherwise may be unable to effectively communicate. An API version may be a set of rules or parameters associated with a particular release date, which an API uses to operate. An API call may be configured for one version of an API, and a second version of the API may be unable to produce API output based on the API call or may produce an error. Further, the embodiments may provide unconventional systems and methods for profiling and clustering datasets, identifying dataset similarities, or identifying data lineage.

Systems and methods of disclosed embodiments may involve datasets comprising actual data reflecting real-world conditions, events, or measurement. However, in some embodiments, disclosed systems and methods may fully or partially involve synthetic data (e.g., anonymized actual data or fake data). Datasets of disclosed embodiments may have a respective data schema (i.e., structure), including a data type, key-value pair, label, metadata, field, relationship, view, index, package, procedure, function, trigger, sequence, synonym, link, directory, queue, or the like. Datasets of the embodiments may contain foreign keys, i.e. data elements that appear in multiple datasets and may be used to cross-reference data and determine relationships between datasets. Foreign keys may be unique (e.g., a personal identifier) or shared (e.g., a postal code). Datasets of the embodiments may be “clustered,” i.e., a group of datasets may share common features, such as overlapping data, shared statistical properties). Clustered datasets may share hierarchical relationships (i.e., data lineage).

Reference will now be made in detail to exemplary embodiments, examples of which are illustrated in the accompanying drawings and disclosed herein. Wherever convenient, the same reference numbers will be used throughout the drawings to refer to the same or like parts. The disclosed embodiments are described in sufficient detail to enable those skilled in the art to practice the disclosed embodiments. It is to be understood that other embodiments may be utilized and that changes may be made without departing from the scope of the disclosed embodiments. Thus, the materials, methods, and examples are illustrative only and are not intended to be necessarily limiting.

FIG. 1 is a diagram of exemplary system 100 to manage APIs, consistent with disclosed embodiments. As shown, system 100 may include API systems 102 a, 102 b, 102 n, an API management system 104, an interface 106, a model storage 108, a database 110, a client device 112, and an enforcement system 114. Components of system 100 may be connected to each other through a network 114.

In some embodiments, aspects of system 100 may be implemented on one or more cloud services designed to generate (“spin-up”) one or more ephemeral container instances in response to event triggers, assign one or more tasks to a container instance, and terminate (“spin-down”) a container instance upon completion of a task. By implementing methods using cloud services, disclosed systems efficiently provision resources based on demand and provide security advantages because the ephemeral container instances may be closed and destroyed upon completion of a task. That is, the container instances do not permit access from outside using terminals or remote shell tools like SSH, RTP, FTP, or CURL, for example. Further, terminating container instances may include destroying data, thereby protecting sensitive data. Destroying data can provide security advantages because it may involve permanently deleting data (e.g., overwriting data) and associated file pointers.

As will be appreciated by one skilled in the art, the components of system 100 can be arranged in various ways and implemented with any suitable combination of hardware, firmware, and/or software, as applicable. For example, as compared to the depiction in FIG. 1, system 100 may include a larger or smaller number of client devices, interfaces, model optimizers, model storages, and databases. In addition, system 100 may further include other components or devices not depicted that perform or assist in the performance of one or more processes, consistent with the disclosed embodiments. The exemplary components and arrangements shown in FIG. 1 are not intended to limit the disclosed embodiments.

API systems 102 a, 102 b, 102 n may include remote APIs (web-based, cloud-based, or server-based APIs) connected to system 100 via one or more networks (e.g., via network 116) and/or local APIs (APIs hosted on a local machine or local network of system 100). API systems may include a function, a microservice, subroutine, or another component of an API system. API systems 102 a, 102 b, 102 n may include communication protocols and one or more software or programming libraries. API systems 102 a, 102 b, 102 n are configured to receive input (API calls) and return API output in response to the calls. In some embodiments, one or more of API systems 102 a, 102 b, 102 n are stand-alone API platforms that may include a plurality of subroutines handled by a plurality of API nodes. In some embodiments, two or more API systems 102 a, 102 b, 102 n are components of the same API platform and operate as API nodes. In some embodiments, API systems 102 a, 102 b, 102 n are configured to send calls to other API systems or nodes of system 100 and receive API output in response (e.g., API system 102 a may send a call to API system 102 b and receive a response in return). Calls between API systems 102 a, 102 b, 102 n and calls within API systems 102 a, 102 b, 102 n may be routed by API management system 104.

API management system 104 may include one or more computing systems configured to manage training of models for system 100 and route API calls, consistent with disclosed embodiments. API management system 104 can be configured to receive API calls, models, and/or datasets from other components of system 100 or other components not shown (e.g., via interface 106). API management system 104 may be configured to train and implement models, including machine learning models. API management system 104 may be configured to generate models. In some embodiments, API management system 104 is configured to export models to other components of system 100 and/or to external systems or devices (e.g., client device 112). API management system 104 is disclosed in greater detail, below (in reference to FIG. 3).

Interface 106 can be configured to manage interactions between system 100 and other systems using network 116. In some aspects, interface 106 can be configured to publish data received from other components of system 100. This data can be published in a publication and subscription framework (e.g., using APACHE KAFKA), through a network socket, in response to queries from other systems, or using other known methods. The data can be synthetic data, as described herein. As an additional example, interface 106 can be configured to provide information received from model storage 108 regarding available datasets. In various aspects, interface 106 can be configured to provide data or instructions received from other systems to components of system 100. For example, interface 106 can be configured to receive instructions for generating data models (e.g., type of data model, data model parameters, training data indicators, training hyperparameters, or the like) from another system and provide this information to model optimizer 104. As an additional example, interface 106 can be configured to receive data including sensitive portions from another system (e.g. in a file, a message in a publication and subscription framework, a network socket, or the like) and provide that components of system 100.

System 100 may include model storage 108. In some embodiments, some or all components of model storage 108 may be hosted on one or more servers, one or more clusters of servers, or one or more cloud services. Model storage 108 may be connected to network 116 and may additionally be directly connected to API management system 104 (connection not shown). In some embodiments, model storage 108 is a component of API management system 104 or client device 112 (not shown).

Model storage 108 can include one or more databases configured to store data models (e.g., machine-learning models or statistical models) and descriptive information of the data models. Model storage 108 can be configured to provide information regarding available data models to a user or another system. The databases can include cloud-based databases, cloud-based buckets, or on-premises databases. The information can include model information, such as the type and/or purpose of the model and any measures of classification error. Model storage 108 can include one or more databases configured to store indexed and clustered models for use by system 100. For example, model storage 108 may store models associated with generalized representations of those models (e.g., neural network architectures stored in TENSORFLOW or other standardized formats). The databases can include cloud-based databases (e.g., AMAZON WEB SERVICES S3 buckets) or on-premises databases.

Database 110 can include one or more databases configured to store data for use by system 100. The databases can include cloud-based databases (e.g., AMAZON WEB SERVICES S3 buckets) or on-premises databases. Database 110 can include one or more databases configured to store indexed and clustered models for use by system 100, as described above.

Client device 112 may include one or more memory units and one or more processors configured to perform operations consistent with disclosed embodiments. In some embodiments, client device 112 may include hardware, software, and/or firmware modules. Client device 112 may be a terminal, a kiosk, a mobile device, a tablet, a personal computer, a server, a server cluster, a cloud service, a storage device, or a specialized device configured to perform methods according to disclosed embodiments, or the like.

Enforcement system 114 may include a server including one or more memory units and one or more processors configured to perform operations consistent with disclosed embodiments. In some embodiments, enforcement system 114 may be configured to track and/or report malicious network activity. For example, enforcement system 114 may report to or be a component of a government agency (e.g., a cybercrimes agency) and/or an organization that tracks malware, hackers, or the like. In some embodiments, enforcement system 114 may be a component of API management system 104 (not shown). In some embodiments, enforcement system 114 may be managed by a government agency, a nonprofit agency, a private organization, or another organization.

Network 116 may be a public network or private network and may include, for example, a wired or wireless network, including, without limitation, a Local Area Network, a Wide Area Network, a Metropolitan Area Network, an IEEE 1002.11 wireless network (e.g., “Wi-Fi”), a network of networks (e.g., the Internet), a land-line telephone network, or the like. Network 116 may be connected to other networks, not depicted, to connect the various system components to each other and/or to external systems or devices. In some embodiments, network 116 may be a secure network and require a password to access the network.

FIG. 2A is an illustration of exemplary interface 200, consistent with disclosed embodiments. In some embodiments, the interface is displayed at one of interface 106, API management system 104, client device 112, or other component of system 100.

As shown, interface 200 may include a graphical representation of a deep learning platform node-testing model 202. A node-testing model may be a model that simulates (imitates) a corresponding API node by producing model output that simulates API output in response to an API call, consistent with disclosed embodiments. In some embodiments, a node-testing model may be a machine learning model, such as a sequence-to-sequence model (seq2seq), which may be implementing using one or more of a recurrent neural network mode (RNN), a long-short term memory (LSTM) model, convolutional neural network (CNN), or another neural network model. In some embodiments, the node testing model may include a synthetic data generation model or may be configured to implement a synthetic data generation model. For example, a generative adversarial network (GAN), a variational auto encoder, or any of the other neural networks previously mentioned may be implemented to generate synthetic data. In some embodiments, a node testing model is trained using API output data and call data to simulate API output. Call data may include actual or simulate API calls. An API node may be an API system (e.g., one of API system 102 a, 102 b, 102 n) or a component of an API system (e.g., a function, a microservice, subroutine, or other component of an API system).

In some embodiments, deep learning platform node-testing model 202 may include a plurality of component node-testing models, including infrastructure node-testing model 204 a, data access node-testing model 204 b, model monitoring node-testing model 204 c, launch node-testing model 206 a infrastructure monitoring node-testing model 206 b, Secure data-access node-testing model 206 c, data movement node-testing model 206 d, model monitoring library node-testing model 206 e, stop node-testing model 208 a secure data-movement node-testing model 208 b, and/or model distribution node-testing model 208 c. As shown, interface 200 may depict deep learning platform node-testing model 202 and the component node-testing models as discs. Node-testing models of FIG. 2A are depicted for purposes of illustration only, and, as one of skill in the art will appreciate, interface 200 may include additional, fewer, or different node-testing models.

In some embodiments, deep learning platform node-testing model 202 and the component node-testing models are configured to receive calls and return model output, consistent with disclosed embodiments. As shown in FIG. 2A, the component node-testing models may be presented as an unstructured system, with no known relationships between them. That is, routing pathways that calls may take as they are passed from deep learning platform node-testing model 202 to component node-testing models may be unknown. In addition, although node-testing models depicted in FIG. 2A have labels that may describe a function that the corresponding API node is configured to perform (e.g., “secure data-movement”), user-interface 200 may display node-testing models as unlabeled node-testing models or as labels that do not describe a function (e.g., “model 1”, “model A”, etc.).

FIG. 2B is an illustration of exemplary interface 250, consistent with disclosed embodiments. In some embodiments, the interface is displayed at one of interface 106, API management system 104, client device 112, or other component of system 100. As shown, interface 200 may include a graphical representation of a deep learning platform node-testing model 202. Interface 250 may display a structured arrangement of component node-testing models as described above in relation to interface 200. In the example of interface 250, component node-testing models are arranged according to routing pathways and routing layers, with arrows representing routing pathways of calls and model output to downstream node-testing models. As one of skill in the art will appreciate, interface 200 may include additional, fewer, or different node-testing models, routing layers, and/or routing pathways.

As shown in FIG. 2B, a call to deep learning platform node-testing model 202 may produce one or more node-testing model outputs that are routed downstream to destination node-testing models in a routing layer 1 that includes the node-testing models including infrastructure node-testing model 204 a, data access node-testing model 204 b, and model monitoring node-testing model 204 c. Node-testing models of routing layer 1 may produce one or more model output and pass the model outputs to one or more node-testing models of a routing layer 2. For example, infrastructure node-testing model 204 a may produce model output that is passed to launch node-testing model 206 a and to infrastructure monitoring node-testing model 206 b. Similarly, node-testing models of routing layer 2 may produce one or more model outputs and pass the model outputs to one or more node-testing models of a routing layer 3. For example, infrastructure monitoring node-testing model 206 b may pass a model output to stop node-testing model 208 a.

Interface 250 may display routing pathways and routing layers as determined by, for example, a routing table and/or a routing model, consistent with disclosed embodiments. For example, a routing table may include a list of calls and corresponding destination API nodes (or API node-testing models). A routing model may be trained on call data and API node output data to predict API node destinations, consistent with disclosed embodiments.

Interface 250 may be configured to display a model-result category associated with the node-testing model output. A model-result category may include a confidence level that a model result matches an API result. A model-result category may indicate a success, a warning, or failure of the call. In exemplary interface 250, model-result categories include “high confidence of working,” “possible failure,” “high confidence of failure,” and “unknown.” For example, “high confidence of working” may indicate a high likelihood that the node testing-model produces a model output which does not contain an error or warning. “Possible failure” may indicate low likelihood in the model output or may indicate that the model output may contain an error or warning. “High confidence of failure” may indicate high likelihood that the model output contains an error or warning. “Unknown” may indicate that the model is not configured to produce model output for a given call, that the likelihood of any particular model result is below a predetermined threshold, and/or that the result has an invalid or unknown data schema.

As described, interface 250 displays routing pathways, model-result categories. Accordingly, interface 250 identifies break points, errors, and can be used for managing APIs.

FIG. 3 is an illustration of an exemplary API management system 104, consistent with disclosed embodiments. As shown, API management system 104 includes one or more processors 310, one or more I/O devices 320, and one or more memory units 330. In some embodiments, some or all components of API management system 104 may be hosted on a device, a computer, a server, a cluster of servers, or a cloud service. In some embodiments, API management system 104 is a scalable system configured to efficiently manage resources and enhance security by provisioning computing resources in response to triggering events and terminating resources after completing a task (e.g., a scalable cloud service that spins up and terminates container instances).

As depicted in FIG. 3, API management system 104 may include one or more processors 310, input/output units (I/O devices) 320, and one or more memory units 330. FIG. 3 is an exemplary configuration of API management system 104. As will be appreciated by one skilled in the art, the components and arrangement of components included in API management system 104 may vary. For example, as compared to the depiction in FIG. 3, API management system 104 may include a larger or smaller number of processors 310, I/O devices 320, or memory units 330. In addition, API management system 104 may further include other components or devices not depicted that perform or assist in the performance of one or more processes consistent with the disclosed embodiments. The components and arrangements shown in FIG. 3 are not intended to limit the disclosed embodiments, as the components used to implement the disclosed processes and features may vary.

Processor 310 may be known computing processors, including a microprocessor. Processor 310 may constitute a single-core or multiple-core processor that executes parallel processes simultaneously. For example, processor 310 may be a single-core processor configured with virtual processing technologies. In some embodiments, processor 310 may use logical processors to simultaneously execute and control multiple processes. Processor 310 may implement virtual machine technologies, or other known technologies to provide the ability to execute, control, run, manipulate, store, etc., multiple software processes, applications, programs, etc. In another embodiment, processor 310 may include a multiple-core processor arrangement (e.g., dual core, quad core, etc.) configured to provide parallel processing functionalities to allow execution of multiple processes simultaneously. One of ordinary skill in the art would understand that other types of processor arrangements could be implemented that provide for the capabilities disclosed herein. The disclosed embodiments are not limited to any type of processor(s) 310. Processor 310 may execute various instructions stored in memory 330 to perform various functions of the disclosed embodiments described in greater detail below. Processor 310 is configured to execute functions written in one or more known programming languages.

I/O devices 320 may include at least one of a display, an LED, a router, a touchscreen, a keyboard, a microphone, a speaker, a haptic device, a camera, a button, a dial, a switch, a knob, a transceiver, an input device, an output device, or another I/O device to perform methods of the disclosed embodiments. I/O devices 320 may be components of an interface of API management system 104 (e.g., an interface such as interface 106).

Referring again to FIG. 3, memory 330 may be a volatile or non-volatile, magnetic, semiconductor, optical, removable, non-removable, or other type of storage device or tangible (i.e., non-transitory) computer-readable medium, consistent with disclosed embodiments. As shown, memory 330 may include data 331, including of at least one of encrypted data or unencrypted data. Data 331 may include one or more model indexes, model parameters, model hyperparameters, model codes, dataset indexes, API routing tables, and/or datasets, consistent with disclosed embodiments.

Programs 335 may include one or more programs (e.g., modules, code, scripts, or functions) used to perform methods consistent with disclosed embodiments. Programs may include operating systems (not shown) that perform known operating system functions when executed by one or more processors. Disclosed embodiments may operate and function with computer systems running any type of operating system. Programs 335 may be written in one or more programming or scripting languages. One or more of such software sections or modules of memory 330 can be integrated into a computer system, non-transitory computer-readable media, or existing communications software. Programs 335 can also be implemented or replicated as firmware or circuit logic.

Programs 335 may include a model-training module 336, a node-testing module 337, a translation module 338, a routing module 339, a dataset clustering module 340, honeypot module 341, and/or other modules not depicted to perform methods of the disclosed embodiments. In some embodiments, modules of programs 335 may be configured to generate (“spin up”) one or more ephemeral container instances to perform a task and/or to assign a task to a running (warm) container instance, consistent with disclosed embodiments. Modules of programs 335 may be configured to receive, retrieve, and/or generate models, consistent with disclosed embodiments. Modules of programs 335 may be configured to receive, retrieve, and/or generate datasets (e.g., to generate synthetic datasets, data samples, or other datasets), consistent with disclosed embodiments. Modules of programs 335 may be configured to perform operations in coordination with one another. For example, routing module 339 may send a model training request to model-training module 336 and receive a trained model in return, consistent with disclosed embodiments.

Model-training module 336 may be configured to train one or more models and/or perform hyperparameter tuning of one or more models, including machine learning models. For example, model-training module 336 can be configured to receive input of one or more thresholds, one or more loss functions, and/or one or more limits on a number of interactions and apply the input for optimizing a received model and/or corresponding generalized representation such as a neural network. In some embodiments, training of a model terminates when a training criterion is satisfied. In some embodiments, model-training module 336 is configured to adjust model parameters during training. The model parameters may include weights, coefficients, offsets, or the like. Training can be supervised or unsupervised.

Model-training module 336 can be configured to select or generate model parameters (e.g., number of layers for a neural network, kernel function for a kernel density estimator, or the like), update training hyperparameters, and evaluate model characteristics. For example, model characteristics may include a model type (e.g., an RNN, a convolutional neural network (CNN), a random forest, or another model type), a model parameter, a model hyperparameter (including training a hyperparameter and/or an architectural hyperparameter), a desired outcome, belongingness to a model cluster, and/or belonginess of a model training dataset to a dataset cluster, the similarity of synthetic data generated by a model to actual data, or other characteristics.

In some embodiments, model-training module 336 is configured to perform a search of a hyperparameter space and select new hyperparameters. This search may or may not depend on the values of a performance metric obtained for other trained models. In some aspects, model-training module 336 can be configured to perform a grid search or a random search. The hyperparameters can include training hyperparameters, which can affect how training of the model occurs, or architectural hyperparameters, which can affect the structure of the model.

Consistent with disclosed embodiments, hyperparameters can include training hyperparameters such as learning rate, batch size, number of training batches, number of epochs, chunk size, time window, input noise dimension, or the like. Hyperparameters can include architectural parameters such as number of layers in a neural network, the choice of activation function for a neural network node, the layers in a CNN or the like. For example, when the stored model comprises a generative adversarial network (GAN), training hyperparameters for the model can include a weight for a loss function penalty term that penalizes the generation of training data according to a similarity metric. As a further example, when the stored model comprises a neural network, the training hyperparameters can include a learning rate for the neural network. As an additional example, when the model is a CNN, architectural hyperparameters can include the number and type of layers in the convolutional neural network.

In some embodiments, model-training module 336 includes programs to apply one or more templates to a data model (e.g., a model retrieved from model storage 108) and apply the templates to generate a generalized representation of the retrieved model (e.g., a neural network). Model-training module 336 may include programs to provide trained generalized representations to model storage 108 for storing in association with corresponding models.

Node-testing module 337 may be configured to train models to test and/or imitate API nodes, consistent with disclosed embodiments. Node-testing module 337 may include or be configured to train and implement models in coordination with or independent from other modules of programs 335, consistent with disclosed embodiments. For example, node-testing module 337 may include or be configured to implement one or more node-testing models and/or one or more node-imitating models, consistent with disclosed embodiments. Node-testing models and/or node-imitating models may include machine learning models. In some embodiments, the machine learning models may include an RNN, a long-short term memory (LSTM) model, convolutional neural network (CNN), a seq2seq model, generative adversarial network (GAN), an autoencoder, a variational autoencoder, or another neural network model. The machine learning models may be trained using API call data (e.g., API calls, API outputs, and/or API identifiers) to receive API calls and generate model outputs that include model results match API call results. API identifiers may include a date or version number associated with an API, a source IP address, a destination IP address, and/or a schema to which an API call conforms. The model result may include a message (e.g., an error message or a warning message). In some embodiments, the models may be trained to generate model outputs that include one or more model-result categories. A model-result category may include a confidence level that a model result matches an API result. A model-result category may indicate a success, a warning, or failure of the call. In some embodiments, the machine learning models (e.g., node-testing models or node-imitating models) may be configured to retrieve API call data from a storage (e.g., data 331, database 110, or other data storage) for model training, API testing, or call processing. In some embodiments, the machine learning models may be configured to receive API call data as API nodes calls are received and processed by, for example, one or more API systems (e.g., API systems 102 a, 102 b, 102 c). Node-testing module 337 and models of node-testing module 337 may be configured to receive and transmit data, including API call data, from and to other components of system 100 or from computing components outside system 100 (e.g., via interface 106).

Translation module 338 may be configured to translate a call (an input call) to a different call (i.e., a translated call). The input call may be associated with an API and/or a particular version of an API. Translation module 338 may be configured to translate any number of kinds of inputs. In some embodiments, the inputs to translation model module 338 may be model outputs or API outputs, such as an API response produced by an API. The translated inputs may therefore also be translated outputs. These translated outputs may also be associated with an API and/or a particular version of an API. In some embodiments, translation model module 338 may perform multiple translations on the same input.

In some embodiments, translation module 338 may be configured to receive an input from another module, such as routing module 339, another part of API Management System 104, or another device connected to Management System 104. This input may be an API call, API dataset, API response, or other code. Translation module 338 may determine certain characteristics about the input, such as an API version it corresponds to, a schema it follows, or a source IP address or destination IP address associated with it.

Translation module 338 may be configured to translate an input based on its characteristics. For example, if translation module 338 determines that the input is associated with a first version of an API, it may translate the input to a different input based on that version of an API. In some embodiments, translation module 338 may be configured to translate an input based on a first API node to which the input is being sent, and/or a second API node from which the input is sent. This translation may be based on characteristics of the first and/or second API node, such as a version of API running on the first and/or second API node, an identifier associated with the first and/or second API node, or attributes of the surroundings of the first and/or second API node. For example, if an input is being sent to a first node running a first version of an API, such as a newer or older version of an API relative to the version associated with the input, translation module 338 may translate the input into an input associated or compliant with the version of an API running on the first node. In this example, the first node may be called a destination API node, as it is the destination of a translated input or output.

In some embodiments, translation module 338 may be configured to translate an input, such as an API call, to a different input, without the use of a library or stored versions of an API. For example, translation module 338 may be configured by another module, such as model-training module 336, which may be a machine-learning model and/or a neural network. Machine-learning models of translation module 338 may include an RNN model. Translation module 338 may operate according to rules, which may be pre-programmed rules, rules learned through machine-learning, or a combination of both. In some embodiments, translation module 338 may be configured to generate, train, and/or implement translation models, which may be used to translate inputs.

Translation module 338 may also be configured to send a translated input to another module, such as routing module 339, another part of API Management System 104, or another device connected to Management System 104. In some embodiments, translation module 338 may send a translated input to another module for further processing. For example, translation module 338 may send a translated input to another translation module for further translation. In some embodiments, translation module 338 may send a translated input to a module or device that processes the input to produce a result. For example, translation module 338 may send an API call to an API that processes the API call to produce an API result responsive to the call.

Translation module 338 may also be configured to generate, train, and/or implement versioning models, which may be configured to determine an API associated with an input (e.g., an API call), consistent with disclosed embodiments. In some embodiments, the versioning model may be configured to associate an API version with a corresponding model (e.g., a translation model, a node-testing model, and/or a node-imitating model). In some embodiments, versioning models may be rule-based. For example, a versioning model may be configured to apply a table (e.g., lookup table) to determine an API version associated based on information associated with an API call (e.g., metadata, a header, an API identifier). In some embodiments, versioning models may be machine learning models trained to determine an API version using API call data, consistent with disclosed embodiments. For example, the versioning model may be trained to identify an API version based on data contained within or associated with an API call (e.g., based on API call syntax, commands (e.g., function calls), a data schema of a dataset, or other data).

Routing module 339 may be configured to identify routing pathways and/or to route calls between API nodes, consistent with disclosed embodiments. In some embodiments, routing module 339 is configured to receive a routing table from another component of system 100 or a computing component outside system 100 (e.g., via interface 106). In some embodiments, routing module 339 is configured to generate, train, and/or implement a versioning model, as previously described. In some embodiments, routing module 339 may be configured to retrieve a routing table from a storage (e.g., data 331, database 110, or other data storage). A routing table may include information specifying where to route an API call and/or where to route an API output. The routing table may include identifiers specifying API nodes. For example, the routing table may include information specifying that an API call (or API output) containing a first identifier should be routed to a first API node. The identifier may be an API address (IP address, domain name, or other address), an API name, an API version, an API function, or other identifier.

In some embodiments, routing module 339 may be configured to generate a routing table, consistent with disclosed embodiments. For example, routing module 339 may generate a routing table by extracting information in an API call specifying a routing pathway and generating or updating a routing table based on the extracted information. In some embodiments, routing module 339 may generate a routing table by creating a graph based on routing logs between nodes. In some embodiments, routing module 339 may be configured to train and implement a routing model. The routing model may include one or more machine-learning models. In some embodiments, the machine-learning models may include an RNN, a long-short term memory (LSTM) model, or another neural network model. The machine-learning models may be trained using API call data (e.g., API calls and/or API outputs) to predict a routing pathway based on the API call data. In some embodiments, the machine-learning models may be configured to retrieve API call data from a storage (e.g., data 331, database 110, or other data storage) for model training, API testing, or call processing. In some embodiments, the machine-learning models may be configured to receive API call data in real-time as API nodes calls are received and processed by, for example, one or more API systems (e.g., API systems 102 a, 102 b, 102 c). Routing module 339 may be configured to receive and transmit data, including API call data, from and to other components of system 100 or from components outside system 100 (e.g., via interface 106).

Dataset-clustering module 340 may be configured to group, or “cluster,” datasets, consistent with disclosed embodiments. Dataset-clustering module 340 may include or be configured to implement one or more data-profiling models. A data-profiling model may include machine-learning models and statistical models to determine the data schema and/or a statistical profile of a dataset (i.e., to profile a dataset), consistent with disclosed embodiments. The data-profiling model may include an RNN model, a CNN model, or other machine-learning model. The data-profiling model may include algorithms to determine a data type, key-value pairs, row-column data structure, statistical distributions of information such as keys or values, or other property of a data schema. The data-profiling model may be configured to implement univariate and multivariate statistical methods. The data-profiling model may include a regression model, a Bayesian model, a statistical model, a linear discriminant analysis model, or other classification model configured to determine one or more descriptive metrics of a dataset. For example, the data-profiling model may include algorithms to determine an average, a mean, a standard deviation, a quantile, a quartile, a probability distribution function, a range, a moment, a variance, a covariance, a covariance matrix, a dimension and/or dimensional relationship (e.g., as produced by dimensional analysis such as length, time, mass, etc.) or any other descriptive metric of a dataset.

In some embodiments, the data-profiling models may be configured to return a statistical profile of a dataset. The statistical profile may include a plurality of descriptive metrics. For example, the statistical profile may include an average, a mean, a standard deviation, a range, a moment, a variance, a covariance, a covariance matrix or any other statistical metric of the selected dataset. In some embodiments, the statistical metric may be a similarity metric representing a measure of similarity between data in a dataset. The similarity metric may be based on a covariance matrix, a variance, a frequency of overlapping values, or other measure of statistical similarity.

Dataset-clustering module 340 may be configured to generate or implement a data-mapping model. A data-mapping model may include machine-learning models to generate edges between nodes, the nodes being datasets (i.e., cluster datasets, data mapping or data crawling). The data-mapping model may include at least one of an RNN model, a CNN model, a random forest model, a bag-of-words model, a multilayer perceptron model, a gated recurrent unit model, a seq2seq model, or other machine-learning model. An edge may comprise an indicator of a hierarchical relationship (e.g., a data lineage, parent-child relationship, derived data, an ambiguous hierarchy), and may include an overlap score indicating the amount of overlap between datasets.

In some embodiments, dataset-clustering module 340 may be configured to generate or retrieve a data-mapping model from a data storage (e.g., model storage 108). Dataset-clustering module 340 may identify and retrieve a data-mapping model based on a statistical profile, a data schema, a model index, and/or a model search strategy. Consistent with disclosed embodiments, the search strategy may include a random search or a grid search. In some embodiments, dataset-clustering module 340 may be configured to receive a plurality of datasets and retrieve a data-mapping model previously used to generate edge data for one of the received datasets. Dataset-clustering module 340 may be configured to retrieve a data-mapping module previously used for a dataset that share features of a data schema of one of the received datasets. In some aspects, dataset-clustering module 340 may be capable of retrieving a data-mapping model used for a dataset having a statistical similarity metric with one of the received datasets that meets a threshold criterion.

In some embodiments, the data-mapping model includes machine-learning models or other models to identify foreign keys and maintain an index of foreign keys (e.g., a data crawler model). The foreign keys may be unique or shared, consistent with disclosed embodiments. The foreign keys may be stored in, for example, foreign database 110 and/or data 331. The data-mapping model may be configured to predict foreign keys by identifying candidate foreign keys and determining a foreign key score based on at least one of an index of foreign keys or a search of a dataset. For example, the data-mapping model may be configured to determine a foreign key score based on a frequency of occurrence of a candidate foreign key in one or more datasets or based on a label associated with the candidate foreign key. As another example, the data-mapping model may be capable of assigning a foreign key score to a candidate foreign key based on its occurrence in a data column that includes known foreign keys.

The data-mapping model of dataset-clustering module 340 may be configured to connect datasets (i.e., generate edges between datasets) based on at least one of a foreign key, a data schema, or a similarity metric. Edge data may include information indicating a similarity between datasets (e.g., a measure of data overlap, correlation, covariance, or other measure of statistical similarity) or a hierarchical relationship (e.g., derived data, parent-child relationships). The data-mapping model may be configured to receive a plurality of datasets and generate edges based solely on the received datasets. In some embodiments, the data-mapping model may be configured to receive a plurality of datasets and generate edges based on the received datasets and on stored, clustered datasets.

Clustering module 340 may include or be configured to implement a data-classification model. The data-classification model may include machine-learning models to classify datasets based on the data schema, statistical profile, foreign keys, and/or edges. The data-classification model may be configured to segment datasets, consistent with disclosed embodiments. Segmenting may include classifying some or all data within a dataset, marking or labeling data (e.g., as duplicate), cleaning a dataset, formatting a dataset, or eliminating some or all data within a dataset based on classification. The models may be configured to classify data elements as actual data, synthetic data, relevant data for an analysis goal or topic, data derived from another dataset, or any other data category. The data-classification model may include a CNN, a random forest model, an RNN model, a support vector machine model, or another machine-learning model.

Honeypot module 341 may be configured to implement a honeypot computer security mechanism. In some embodiments, honeypot module 341 may be configured to automatically generate and implement honeypots in response to detected malicious actors. That is, honeypot module 341 may be configured to detect an unauthorized API call and provide, in response, synthetic data that appears to be real API output. After an unauthorized call is detected, API management system 104 may continue to route legitimate or authorized calls to API nodes, or to generate new API nodes to manage legitimate calls (e.g., a secondary live system). Honeypot module 341 may include or be configured to train and implement models in coordination with or independent from other modules of programs 335, consistent with disclosed embodiments.

In some embodiments, honeypot module 341 is configured to receive, retrieve, and/or generate a node-imitating model, consistent with disclosed embodiments. Model output of the node-imitating model may appear to be real API output to an unauthorized user (i.e., the model may be a component of a honeypot computer-security system mechanism). Generating and/or training a node-imitating model may be based on data received or retrieved from a model storage, including one or more models, model characteristics, and/or training criteria. A node-imitating model may be configured to retrieve and/or receive data (e.g., from database 110), including one or more datasets. In some embodiments, training a node-imitating model may include receiving a node-testing model from a data storage (e.g., model storage 108) and training the node-testing model.

Honeypot module 341 may train a node-imitating model to generate model output based on API output. In some embodiments, the API management system 104 trains node-imitating model 1022 until one or more training criteria are satisfied, consistent with disclosed embodiments.

In some embodiments, training a node-imitating model to generate model output includes training the model to generate synthetic data. For example, a node-imitating model may be trained to generate synthetic data that has a data profile that, when compared to API output data, satisfies a similarity metric, consistent with disclosed embodiments. In some embodiments, generating synthetic data includes adjusting API output by adding noise. In some embodiments, generating synthetic data includes altering a data schema of API output data (e.g., switching data labels or otherwise relabeling data). In some embodiments, generating synthetic data includes replacing data in API output with synthetic data. For example, a node-imitating model may be trained to identify sensitive information (e.g., account numbers, social security numbers, names, addresses, API keys, network or IP addresses, or the like) and replace sensitive information with non-sensitive information having similar properties (e.g., identifying a 16-digit account number and replacing it with a fake 16-digit account number).

In some embodiments, model output of a node-imitating model may include a data marker. The data marker may include one or more data elements (e.g. a string or a number). A data marker may be randomly generated. A data marker may include a Universally Unique Identifier (UUID). In some embodiments, honeypot module 341 is configured to store a data marker. In some embodiments, the data marker is associated with an API call, a location, an API node, a node-testing model (e.g., data marker may be stored in a relational database). In some embodiments, honeypot module 341 is configured to receive a dataset and determine whether the dataset includes a data marker. Determine whether the dataset includes a data marker may include comparing the dataset to a stored data marker.

In some embodiments, API management system 104 may train a node-imitating model to generate model output having a predetermined data profile. For example, the predetermined data profile may be based on one or more data markers (e.g., the node-imitating model may generate data with two data markers having a predetermined covariance between data columns). The predetermined data profile may be unique to the model output, such that the appearance of the predetermined data profile confirms that the data to which the profile is attached is the model output. In some embodiments, the predetermined data profile may use token keys to determine whether received data matches a previous model output. API management system 104 may retain token keys to confirm an instance of model output.

In some embodiments, honeypot module 341 is configured to determine a suspiciousness score of the data. In some embodiments, the suspiciousness score is a likelihood that data derives from API calls to an API node (e.g. API systems 102 a, 102 b, 102 n or their components) and/or API management system 104. In some embodiments, the suspiciousness score may be a number (e.g., 0-100) or a category (e.g., highly, medium, low). In some embodiments, the suspiciousness score is based on detecting a data marker. For example, the suspiciousness score may be based on a frequency of a data marker in a dataset.

In some embodiments, honeypot module 341 is configured to determine a suspiciousness score based on a data profile. For example, honeypot module 341 may determine a similarity metric of a data profile and a data profile of a stored dataset (or a stored data profile). The suspiciousness score may be based on the similarity metric (e.g., if the similarity metric indicates high similarity, the suspiciousness score may be high).

In some embodiments, honeypot module 341 may be configured to identify unauthorized API calls (e.g., calls from an intruder, a hacker, a malicious actor internal or external to a network). In some embodiments, the unauthorized call may be associated with an authorized user of a computer network (e.g., a malicious actor may use an authorized user's account credentials; an employee may access a computer system for illegitimate purposes, etc.). Identifying unauthorized API calls may include classifying API calls based on at least one of a user account, a log, a failed authentication attempt, a packet sniffing event, a rate of pinging, an Internet Protocol (IP) address, or a media access control (MAC) address.

Honeypot module 341 may include or be configured to train and implement a call-classification model to classify a call as an unauthorized call, consistent with disclosed embodiments. The call-classification model may include a machine-learning model, including a decision tree, an RNN, a CNN, a multilayer perceptron (MLP), or another machine-learning model. The call-classification model may include rule-based models (e.g., a model to detect calls from an unknown location).

For example, honeypot module 341 may be configured to train a call-classification model to detect a suspicious call or suspicious call pattern that differs from normal API call traffic. Honeypot module 341 may be configured to detect a suspicious call. In some embodiments, honeypot module 341 may be configured to identify a location associated with the suspicious call (e.g., an account, an Internet Protocol (IP) address, a media access control (MAC) address, or a uniform resource locator (URL)). In some embodiments, honeypot module 341 may be configured to route a suspicious call or calls from a location associated with the suspicious call to a node-imitating model and/or block calls from a location associated with the suspicious call.

Honeypot module 341 may be configured to determine a call relates to a malicious campaign, consistent with disclosed embodiments. For example, the call may originate from or be associated with a location of a suspicious call or an unauthorized call. The call may have call characteristics that are similar to a suspicious call or an unauthorized call. Call characteristics may include frequency of repeating a call, call content (e.g., requests or commands), or statistical similarities between the call and other call data. In some embodiments, API management system 104 uses a call-classification model to determine a call relates to a malicious campaign.

In some embodiments, honeypot module 341 may be configured to provide information associated with a suspicious call to a client device (e.g., client device 112) and/or an interface (e.g., interface 106). Honeypot module 341 may be configured to receive instructions in response to providing the information. For example, honeypot module 341 may be configured to receive instructions to block a location associated with the suspicious call, monitor activity, and/or route calls to node-imitating models.

Honeypot module 341 may be configured to block a location. Blocking a location may include rejecting calls associated with the location. Blocking a location may include maintaining a blacklist (a list of blocked locations).

Honeypot module 341 may be configured to trace API calls back to the source. This may involve tracking inbound IP calls, outbound IP calls, inbound transmission control protocol (TCP) calls, outbound TCP calls, inbound user datagram protocol (UDP) calls, and/or outbound UDP calls.

FIG. 4 depicts an exemplary process for training and implementing a node-testing model, consistent with disclosed embodiments. In some embodiments, API management system 104 performs process 400. One or more of model-training module 336, node-testing module 337, translation module 338, routing module 339, dataset-clustering module 340, or other module of programs 335 may perform operations of process 400, consistent with disclosed embodiments. It should be noted that other components of system 100, including, for example, client device 112 or one or more API systems (e.g., API system 102 a, 102 b, 102 c) may perform one or more steps of process 400.

Consistent with disclosed embodiments, steps of process 400 may be performed on one or more cloud services using one or more ephemeral container instances. For example, at any of the steps of process 400, API management system 104 may generate (spin up) an ephemeral container instance to execute a task, assign a task to an already-running ephemeral container instance (warm container instance), or terminate a container instance upon completion of a task. As one of skill in the art will appreciate, steps of process 400 may be performed as part of an application interface (API) call.

At step 410, API node 102 receives calls (inputs) and produces API outputs based on the calls, consistent with disclosed embodiments. API node 102 may be one of API systems 102 a, 102 b, 102 n, another API system, an API function, an API subroutine, or an API node. API node 102 may comprise sub-components (e.g., other API nodes, functions, routines, subroutines, or the like). At step 410, a call may be received from any component of system 100 or a computing component outside system 100 (e.g., via interface 106). For example, the call may be received from another API node, a client device, a routing module, an API management system, and/or an interface. The call may include an API identifier. The API node processes calls by performing one or more operations in response to the calls. API output may include routing information (e.g., one or more API identifiers specifying a destination for the API output, or an instruction to return an output to a device). API output may include an error message and/or an error code.

At step 420, API management system 104 trains a node-testing model 422, consistent with disclosed embodiments. In some embodiments, API management system 104 may generate node-testing model 422 at step 420. As shown, node-testing model 422 may receive API input (an API call) and API output. API management system 104 may train node-testing model to generate model output that matches the API output. In some embodiments, API management system 104 trains node-testing model 422 until one or more training criteria are satisfied, consistent with disclosed embodiments. For example, a training criterion may be a percent match between model output and API output for a number of API calls.

In some embodiments, model output includes a model result. The model result may include modeled API output (i.e., a possible result of an API call). Modeled API output may include data (e.g., a dataset, synthetic data), descriptions of data (e.g., a data profile, a data schema, a statistical profile, and/or statistical metrics). Modeled API output may include code to use in a call to an API and/or an identifier of an API. For example, modeled API output may include a call for a downstream node associated with the identifier. In some embodiments, the model result may include an error message, a warning message, and/or error code. The model result may include a statement indicating the model result is an unknown result (i.e., the model has not been trained to produce an output based on the call).

In some embodiments, the model output includes a model-result category. The model-result category may indicate a confidence level associated with the model result (e.g., a likelihood that the model result matches API output). The confidence level may include one or more probability vectors associated with particular model outputs based on the model input. The model-result category may indicate whether the model result indicates a success (e.g., the model result includes data and no errors), a possible warning (i.e., the model result includes a warning message), or failure (i.e., the model result includes an error message). As one of skill in the art will appreciate, the model-result category may include any kind of category associated with the call or the model result.

At step 430, API management system 104 implements node-testing model 422. For example, API management system may route real-time API calls to node-testing model 422 in real-time to process API calls and/or may route synthetic or stored API calls to node-testing model 422 (e.g., as depicted in exemplary interface 250 of FIG. 2B). In some embodiments, model output includes a model result and a model-result category.

FIG. 5 depicts exemplary system 500 for training a translation model, consistent with the disclosed embodiments. As shown in FIG. 5, system 500 includes a translation model 502, a node-testing model A 501 a, and a node-testing model B 501 b. Consistent with the disclosed embodiments, translation model 502 may be a translation model implemented by translation module 338. In some embodiments, node-testing model A 501 a and/or node-testing model B 501 b may be node-testing models 322, consistent with disclosed embodiments. Node-testing model A 501 a and node-testing model B 501 b may be configured to generate model output that simulates the API output of API nodes including a specific version of an API. These nodes may be remote from the translation model training system 500. Therefore, by using node-testing models, system 500 improves efficiency because system 500 does not need to maintain or query the API nodes which the models simulate.

Translation model 502 may be trained to generate translated inputs from inputs, consistent with disclosed embodiments. Training translation model 522 may include passing inputs to node-testing model A 501 a to produce model outputs A. Training may include passing translated inputs to node-testing model B 501 b to produce model output B. Training may terminate when a comparison of model output B to model output A satisfies a training criterion. As an example, the criterion may include whether model output B matches model output A, or if model output B matches model output A for a threshold number of matches.

For example, during model training translation model 502 may receive an input, which may include an API call, a dataset, an API response, a model output from another node-testing model, or other input data, such as metadata, identifiers, instructions, a source IP address, a destination IP address, or other additional data. Based on the input it receives, translation model 502 determines an appropriate translated input, which may be sent to node-testing model B 501 b. Node-testing model B 501 b may then determine a new model output B, which may be sent to translation model 502.

Translation model 502 may compare the new model output B to an expected model output. The expected model output may include API response, API call, metadata, or anything expected as the output of a system. In some embodiments, the expected model output may be associated with an output expected from a particular API. If translation model 502 determines that that the new model output B does not match the expected model output or is not within a predetermined range of tolerance associated with the expected model output, then translation model 502 may determine that a new translated input should be produced, one that differs from the previously generated translated input. Translation model 502 may then determine a new translated input based on the new model output B and/or the input and model output A, as well as any previously translated inputs or outputs. If translation model 502 determines that the new model output B matches the expected model output, or is within a predetermined range of tolerance associated with the expected model output, then translation model 502 may determine no adjustments are needed, and it may continue to generate its most previous translated input.

In some embodiments, translation model 502 may repeatedly determine successive translated inputs. These repeated translated inputs may be determined based on any inputs and/or outputs received by translation model 502. These inputs and outputs may be associated with current or previous determinations of the translated input by translation model 502. For example, translation model 502 may determine a new translated input based on a previously received input, a previously received model output A, and a newly received model output B, which may have been recently determined by the most previous translated input.

FIG. 6 depicts exemplary process 600 for managing APIs, consistent with disclosed embodiments. In some embodiments, API management system 104 may perform process 600. One or more of model-training module 336, node-testing module 337, translation module 338, routing module 339, dataset-clustering module 340, and/or honeypot module 341, may perform operations of process 600, consistent with disclosed embodiments. It should be noted that other components of system 100 may perform one or more steps of process 600, including, for example, API systems 102 a, 102 b, 102 n and/or client device 112. Process 600 may be performed based on user inputs or, in some embodiments, process 600 is executed automatically by a program, script, or routine. For example, process 600 may be performed according to a schedule or in response to a triggering event (e.g., following receipt of data at step 602).

At step 602, API management system 104 receives a request, consistent with disclosed embodiments. API management system 104 may receive the request from another component of system 100 or a computing component outside system 100 (e.g., via interface 106). The request may be a request to test one or more API nodes, consistent with disclosed embodiments. The request may include one or more API calls. The request may include instructions to generate one or more synthetic API calls. The instructions may specify characteristics of the API calls. For example, the instructions may specify a range of API call parameters and/or a list of API functions. The request may include one or more API identifiers, routing tables, routing models, and/or information identifying a routing model. The request may include a request to provide model output via a display (e.g., as depicted in interface 250 of FIG. 2B) and/or to store model output.

At step 604, API management system 104 generates one or more API calls, consistent with disclosed embodiments. Generating an API call may include generating the API call based on instructions received at step 602. The API call may include an API identifier.

At step 606, API management system 104 identifies a testing model and/or a translation model, consistent with disclosed embodiments. Identifying a node-testing model may be based on an API identifier. Identifying a node-testing model may be based on a received instruction (e.g., an instruction received at step 602).

At step 608, API management system 104 translates the call, consistent with disclosed embodiments. Translating the call may include identifying an API version associated with the received call and implementing a translation model to generate a translated call associated with another API version. In some embodiments, translating the call includes performing steps of process 800, described in detail below.

At step 610, API management system 104 transmits the call to a node-testing model, consistent with disclosed embodiments. In some embodiments, transmitting the call at step 610 includes transmitting the generated call of step 604 and/or the translated call of step 608.

At step 612, API management system 104 receives node-testing model output, consistent with disclosed embodiments. The node-testing model output may include a model result and/or a model-result category. Following step 612, API management system 104 may perform any of steps 614-620, alone or in combination.

At step 614, API management system 104 provides a notification, consistent with disclosed embodiments. The notification may include a model output. The notification may include a model result and/or a model-result category. In some embodiments, providing the notification includes displaying the notification at an interface (e.g., interface 106). In some embodiments, providing the notification includes transmitting the notification to a client device (e.g., client device 112). In some embodiments, providing the notification includes sending the notification to an enforcement system (e.g., enforcement system 114).

At step 616, API management system 104 updates the call, consistent with disclosed embodiments. Step 616 may include implementing a translation model. Updating the call may include characteristics of the API calls. For example, updating the call may include changing an API call parameter and/or an API function.

At step 618, API management system 104 updates the translation model, consistent with disclosed embodiments. In some embodiments, updating the translation model at step 618 is based on the model-result category. For example, the API management system 104 may transmit a translated call to the node-testing model at step 610 and receive a model-result category at step 612 that indicates that the model result is a failure or an unknown result, trigging modeling training of the translation model.

At step 620, API management system 104 updates the node-testing model, consistent with disclosed embodiments. In some embodiments, updating the node-testing model at step 620 is based on the model-result category. For example, the model-result category of step 612 may indicate that the model result is a failure or an unknown result, trigging model training of the node-testing model.

It should be noted that process 600 may be performed iteratively. For example, following one of steps 614, 616, 618 and/or 620, API management system 104 may again perform step 604 to generate another call based on node-testing model output of step 612. As an illustrative example, API management system 104 may perform process 600 for one or more arrows (API calls) depicted in exemplary interface 250 (FIG. 2B).

FIG. 7 depicts exemplary process 700 for training a node-testing model, consistent with disclosed embodiments. In some embodiments, API management system 104 may perform process 700. In some embodiments, model-training module 336 performs process 700. One or more of model-training module 336, node-testing module 337, translation module 338, routing module 339, dataset-clustering module 340, and/or honeypot module 341, may perform operations of process 700, consistent with disclosed embodiments. It should be noted that other components of system 100 may perform one or more steps of process 700, including, for example, API systems 102 a, 102 b, 102 n and/or client device 112. Process 700 may be performed based on user inputs or, in some embodiments, process 700 is executed automatically by a program, script, or routine. For example, process 700 may be performed according to a schedule or in response to a triggering event. Process 700 may be performed by an ephemeral container instance, consistent with disclosed embodiments.

At step 702, model-training module 336 receives API call data, consistent with disclosed embodiments. API call data may include API call data API calls, API outputs, and/or API identifiers. Step 702 may include receiving model characteristics and/or training criteria, consistent with disclosed embodiments. For example, received model characteristics may include a model type, a model parameter, a model hyperparameter, a desired outcome, belongingness to a model cluster, and/or belonginess of a model training dataset to a dataset cluster, the similarity of synthetic data generated by a model to actual data, or other characteristics.

At step 704, model-training module 336 generates a node-testing model, consistent with disclosed embodiments. The node-testing model may include a machine learning model, consistent with disclosed embodiments. For example, the node-testing model may include one of an RNN, an LSTM model, or another neural network model. Generating the node-testing model at step 704 may include generating a plurality of model parameters (seeds) to use as starting points for model training. Generating the node-testing model may include retrieving the node-testing model from a data storage (e.g., data 331 or model storage 110). Generating the model may be based on model characteristics received at step 702.

Generating the node-testing model at step 704 may be based on the API call data. For example, the API call data may include an API identifier, and generating the node-testing model may include retrieving a node-testing model previously trained to produce model output that matched API output of an API associated with the identifier.

At step 706, model-training module 336 trains the node-testing model, consistent with disclosed embodiments. Training the model at step 706 may include training the node-testing model until one or more training criteria are satisfied, consistent with disclosed embodiments. For example, a training criterion may be a percent match between node-testing model output and API output for a number of API calls. Training may be based on training criteria received at step 702.

At step 708, model-training module 336 provides the node-testing model, consistent with disclosed embodiments. Providing the model may include transmitting the model to a module of API management system 104; storing the model in a data storage (e.g., data 331, database 110, or other data storage); displaying a graphical representation of the model (e.g., via interface 106); and/or transmitting the model to another component of system 100 (e.g. API system 102 a, 102 b, 102 n and/or client device 112) and/or to a computing component outside system 100 (e.g., via interface 106).

FIG. 8 depicts exemplary process 800 for testing a translation model, consistent with disclosed embodiments. In some embodiments, API management system 104 performs process 800. One or more of model-training module 336, node-testing module 337, translation module 338, routing model module 339, dataset-clustering module 340, and/or honeypot module 340 may perform operations of process 800, consistent with disclosed embodiments. It should be noted that other components of system 100, including, for example, client device 112, may perform one or more steps of process 800.

Consistent with disclosed embodiments, steps of process 800 may be performed on one or more cloud services using one or more ephemeral container instances. For example, at any of the steps of process 800, API management system 104 may generate (spin up) an ephemeral container instance to execute a task, assign a task to an already-running ephemeral container instance (“warm container instance”), or terminate a container instance upon completion of a task. Steps of process 800 may be performed using a system for training translation models, such as system 500. As one of skill in the art will appreciate, steps of process 800 may be performed before, after, or alongside an API request and response process. For example, process 800 may be initiated after API management system 104 has become aware that a translation model has produced an output that does not correspond to an API version of a destination API node of the output. After becoming aware of this inaccurate translation, API management system 104 may perform process 800 to update a translation model so that accurate translation may take place, such that the output corresponds to the API version of the destination API node of the output. In other cases, process 800 may be performed following the release of a new API version, in order to keep a translation model functioning effectively.

At step 802, API management system 104 receives input, consistent with disclosed embodiments. The information may be received from, for example, client device 112 and/or via interface 106. The input may have been sent from, for example, a device external to API management system 104 in system 100, or from with API management system 104, such as from another module, which could be testing model module 337. The information may include an API call, API response, a translated input or an output from translation model 502 and/or an API dataset. In some embodiments, the model is a machine learning model. The dataset may include real (actual) data and/or synthetic data, consistent with disclosed embodiments. In some embodiments, the information includes instructions to generate a response to an API call and may include an API identifier, call arguments, or other parameters. In some embodiments, the information includes instructions to retrieve a model and/or a dataset from a data storage (e.g, data 231, model storage 108, and/or database 110).

At step 804, API management system 104 selects one or more node-testing models, consistent with disclosed embodiments. A node-testing model may correspond to an API, consistent with disclosed embodiments. The version of API may be associated with the call. For example, a first selected node-testing model may correspond to the first version of the API, and a second selected node-testing model may correspond to the second version of the API. These node-testing models may be, for example, node-testing model A 501 a and/or node-testing model B 501 b.

Selecting a node-testing model at step 804 may include retrieving a node-testing model from a data storage (e.g., data 331, database 105). In some embodiments, the selected node-testing models are retrieved based on instructions received at step 802. In some embodiments, step 804 includes generating and/or training a node testing model, consistent with disclosed embodiments.

At step 806, API management system 104 determines if the node-testing models generate model outputs that satisfy a test criterion, consistent with disclosed embodiments. This test criterion may include, for example, a percent match between a model output and an expected model output, or a percent match between a schema of the model output and an expected schema. Determining whether a model output satisfies a test criterion related to a schema may involve using a scheme validation framework, such as Marshmellow, a scheme validation framework that can be implemented using Python. The expected output may include a previous model output generated by API management system 104, and/or a range of desirable model outputs. For example, the expected output may include the model output from the node-testing model corresponding to a first version of an API (e.g., model output A, shown in FIG. 5). In some embodiments, the expected output may include system logs or analytic data. In some embodiments, the logs or analytic data may be unrelated to the input. For example, honeypot module 341 may generate synthetic data, and the logs may be unrelated to the input. In some embodiments, the test criterion includes a determination of whether a distribution of foreign keys and/or data values is within an expected range. For example, the test criterion may be based on a data profile or a statistic metric of API calls, consistent with disclosed embodiments. API management system 104 may also determine if the node-testing models generated model outputs that satisfy a test criterion based on whether an error message is received. In some embodiments, determining whether a model output satisfies a testing criterion may involve determining whether multiple model outputs satisfy a desired distribution related to expected model outputs.

At step 807 API management system 104 sends a notification, consistent with disclosed embodiments. In some embodiments, the notification may be sent via interface 106. In some embodiments, sending the notification includes sending the notification to client device 112. In some embodiments, sending the notification includes displaying the notification at a display of I/O devices 320. The notification may include a warning of changes at an API node, an indication that changes at an API node are breaking changes, an indication of changes detected, and/or possible recommended actions. Recommended actions may include, for example, changing an API version at a node, providing a manual translation, and/or conducting supervised training of a translation model. As shown, step 807 may follow at least one of step 806 and/or step 814 following a determination that a node-testing model output does not satisfy a test criterion.

At step 808, API management system 104 selects a translation model based on the input, consistent with disclosed embodiments. For example, the input may be an API call and the version of the API may be determined. Based on the information associated with the input, an appropriate translation model may be selected. In some embodiments, the translation model may be translation model 502. The translation model may be configured to translate an input, such as an API call, from a first version of an API to a second version of an API. For example, the first version of an API may be the version currently associated with the input, and the second API version may be a version associated with a destination API node. The translation model may be selected using a table that associates APIs and API versions with corresponding translation models, or using a versioning model that associates APIs and their versions with corresponding models. For example, if the input is an API call of a particular version in need of translation, a translation model for translating calls of that version may be selected for testing.

Selecting a translation model at step 808 may include retrieving a node-testing model from a data storage (e.g., data 331, database 105). In some embodiments, the selected translation model may be retrieved based on instructions received at step 802. In some embodiments, step 808 includes generating and/or training a translation model, consistent with disclosed embodiments. Training the translation model may include training the model using API call data associated with a first version of an API and API call data associated a second version of an API, consistent with disclosed embodiments. The API call data may be retrieved from a data storage (e.g., data 331, database 105).

At step 810, API management system 104 generates a translated input based on the received input, using the translation model, consistent with disclosed embodiments. In some embodiments, the translated input may be based on information received at step 802, which may include other inputs or outputs. These may include API calls, API datasets, or other data related to an API.

At step 812, API management system 104 generates one or more model outputs of the selected node-testing models, consistent with disclosed embodiments. In some embodiments, at least one model output may be generated by a node-testing model corresponding to a second version of an API based on the translated input (e.g., as illustrated in model output B of FIG. 5). In some embodiments, at least one model output may be generated by a node-testing model corresponding to a second version of an API based on the input (e.g., as illustrated in model output A of FIG. 5).

At step 814, API management system 104 determines if the model output generated at step 812 satisfies a test criterion, consistent with disclosed embodiments. This test criterion may include, for example, a percent match between a model output corresponding to a second version of an API generated at step 812 and an expected model output, or a percent match between a schema of the model output and an expected schema. In some embodiments, the test criterion includes a determination of whether a distribution of foreign keys and/or data values is within an expected range. For example, the test criterion may be based on a data profile or a statistic metric of API calls, consistent with disclosed embodiments. The expected model output may include a previous output generated by API management system 104, and/or a range of desirable outputs. For example, the expected model output may include the model output from the node-testing model corresponding to a first version of an API (e.g., model output A, shown in FIG. 5). In another example, API management system 104 may see if a key or value of the model output is within a desirable range. In some embodiments, the expected output may include system logs or analytic data. In some embodiments, the logs or analytic data may be unrelated to the input. API management system 104 may also determine if the output generated at step 812 meets a test criterion based on whether an error message is received. In some embodiments, API management system 104 may determine if the model output generated at step 812 meets a test criterion by analyzing how well the model output corresponds to a particular version of an API, which may be associated with an API node that will receive an API output based on the model output. For example, API management system 104 may determine whether the model output has a schema that accords with a particular version of an API, and/or whether the model output will cause an error at a destination node. API management system 104 may determine that no model training is needed if the model output accords with a particular version of an API, or if it does not accord with that version but will not cause an error at a destination node. In some embodiments, determining whether a model output satisfies a testing criterion may involve determining whether multiple model outputs satisfy a desired distribution related to expected model outputs.

At step 816, API management system 104 trains the translation model based on the model output generated at step 812, consistent with disclosed embodiments. In some embodiments, the training may occur if the model output generated at step 812 does not meet the training criterion. Testing may involve an iterative test whereby steps 802-814 are repeated successively, which may involve changing the inputs for some iterations. This iterative test may involve API management system 104 changing rules associated with a translation module 338 that implements the translation model. Repeating steps 802-814 may generate model inputs and/or model outputs that are used only for training purposes, which may be termed intermediate model inputs and intermediate model outputs. Steps 802-814 may be repeated until API management system 104 determines that the model output generated at step 812 satisfies a training criterion. In some embodiments, multiple tests may be run simultaneously. In some embodiments, training the translation model may include producing an updated translation model, which may operate using a translation module 338 that has new rules.

Training the translation model may also trigger API management system 104 to train or generate another translation model. For example, after updating a translation model that translates API calls from a first version to a second version, process 800 may be used to train a translation model that translates API calls from a second version to a first version. Training a translation model may also trigger API management system 104 to train another model, such as one implemented by model training module 336, translation module 338, or routing model module 339. These other models could include a node-testing model. For example, API management system 104 may update node-testing models that were used to train a translation model when the node-testing model produces an error, an unknown result, or a result that does not satisfy a training criterion during translation model training.

At step 818, API management system 104 may provide an updated translation model trained at step 816, consistent with the disclosed embodiments. This may include transmitting the pre-updated model and/or updated model to a module of API management system 104; storing the pre-updated model and/or updated model in a data storage (e.g., data 331, database 110, or other data storage); displaying a graphical representation of the model (e.g., via interface 106); and/or transmitting the pre-updated and/or updated model to another component of system 100 (e.g. API system 102 a, 102 b, 102 n and/or client device 112) and/or to a computing component outside system 100 (e.g., via interface 106). In some embodiments, any pre-updated instances of a model may be discarded after a model is updated.

At step 820, API management system 104 may provide a node-testing model output generated at step 812, consistent with the disclosed embodiments. This may include transmitting the node-testing model output to another translation model 502 and/or a module of API management system 104; storing the node-testing model output in a data storage (e.g., data 331, database 110, or other data storage); displaying a graphical representation of the node-testing model output (e.g., via interface 106); and/or transmitting the node-testing model output to another component of system 100 (e.g. API system 102 a, 102 b, 102 n and/or client device 112) and/or to a computing component outside system 100 (e.g., via interface 106). In some embodiments, any pre-updated instances of a model may be discarded after a model is updated.

FIG. 9 is a depicts exemplary process 900 for translating an input, consistent with disclosed embodiments. In some embodiments, API management system 104 performs process 900. One or more of model-training module 336, node-testing module 337, translation module 338, routing module 339, dataset-clustering module 340, and/or honeypot module 341, may perform operations of process 700, consistent with disclosed embodiments. It should be noted that other components of system 100, including, for example, client device 112, may perform one or more steps of process 900.

Consistent with disclosed embodiments, steps of process 900 may be performed on one or more cloud services using one or more ephemeral container instances. For example, at any of the steps of process 900, API management system 104 may generate (spin up) an ephemeral container instance to execute a task, assign a task to an already-running ephemeral container instance (“warm container instance”), or terminate a container instance upon completion of a task. As one of skill in the art will appreciate, steps of process 900 may be performed as part of processing an API call.

At step 902, API management system 104 receives an API call, consistent with disclosed embodiments. This API call may be received from model-training module 336, testing model module 337, translation model module 338, routing model module 339, dataset-clustering module 340, honeypot module 341, or other components of system 100, including, for example, client device 112. API management system 104 may receive other input with the API call, such as an API dataset, API response, model output from another node-testing model, or other input data, such as metadata, identifiers, instructions, system logs, analytic data, or other additional data.

At step 904, API management system 104 determines the API version of the API call received at step 902, consistent with disclosed embodiments. This determination may be based on an API identifier contained in the API call. After determining the API version, API management system 104 may determine an appropriate model to use for translating the API call. The model may be selected using a table that associates APIs and API versions with corresponding models, or using a separate model that associates APIs and their versions with corresponding models, as in step 804.

At step 906, API management system 104 translates the API call. In some embodiments, translating the API call includes using a translation model as described in translation module 338. For example, if the API call is associated with a first version of an API and it has a destination node with a second version of an API, API management system 104 may translate the API call from the first version to the second version.

At step 908, API management system 104 transmits the translated API call, consistent with disclosed embodiments. Transmitting the translated API call may include transmitting the translated API call to an API node. In some embodiments, API management system 104 may transmit the translated API call to any of programs 335, to another part of API management system 104, or to another component of system 100. Transmitting the translated call may include storing the received and/or translated call in a data storage (e.g., database 110, data 331). In some embodiments, calls, responses, and other API inputs and outputs may be stored as part of a dataset, which may be stored in a data storage (e.g., database 110, data 331). Such datasets may be used to train models, for example, by using process 700.

At step 910, API management system 104 receives an API output from an API node, consistent with disclosed embodiments. The API output may have been generated based on the translated API. For example, the API output may include a result generated by an API in response to the translated API call transmitted by API management system 104.

At step 912, API management system 104 determines an API version associated with a destination API node, consistent with disclosed embodiments. The destination API node may be the next node to which the output will be transmitted, which may be the same API node from which the API call was received at step 902 (i.e., a source node). In some embodiments, API management system 104 may determine that the API version of the API output is not the same as the API version of the as a destination API node, and that this incompatibility may produce an error at an API node. The API version of the destination API node may be determined from information contained in the API call. In some embodiments, the API version of the destination API node may be the same as the API version of the API call determined at step 904.

At step 914, API management system 104 translates the API output, consistent with disclosed embodiments. For example, API management system 104 may translate an API output configured for one version of an API to an API output configured for a different version of an API. The different version may be one used by a node that may receive the API output.

At step 916, API management system 104 transmits the translated API output, consistent with disclosed embodiments. In some embodiments, the translated API output may be transmitted to the API node from which the API call was received at step 902. For example, the source API node may be part of a user device that sent the API call at step 902. In some embodiments, the translated API output may be transmitted to another API node. In some embodiments, the translated API output may be transmitted to another part of API management system 104, another component of system 100 (e.g., one of API systems 102 a, 102 b, 102 c), and/or or a computing component outside system 100 (e.g., via interface 106).

FIG. 10 depicts exemplary process 1000 for training and implementing a node-imitating model, consistent with disclosed embodiments. In some embodiments, API management system 104 performs process 1000. One or more of model-training module 336, node-testing module 337, translation module 338, routing module 339, dataset-clustering module 340, and/or honeypot module 341 may perform operations of process 1000, consistent with disclosed embodiments. Process 1000 may be performed based on user inputs or, in some embodiments, process 1000 is executed automatically by a program, script, or routine. For example, process 1000 may be performed according to a schedule or in response to a triggering event. It should be noted that other components of system 100, including, for example, client device 112 or one or more API systems (e.g., API system 102 a, 102 b, 102 c) may perform one or more steps of process 1000.

Consistent with disclosed embodiments, steps of process 1000 may be performed on one or more cloud services using one or more ephemeral container instances. For example, at any of the steps of process 1000, API management system 104 may generate (spin up) an ephemeral container instance to execute a task, assign a task to an already-running ephemeral container instance (warm container instance), or terminate a container instance upon completion of a task. As one of skill in the art will appreciate, steps of process 1000 may be performed as part of an application interface (API) call.

At step 1010, API node 102 receives calls (inputs) and produces API outputs based on the calls as previously described in relation to step 410, consistent with disclosed embodiments.

At step 1020, API management system 104 trains a node-imitating model 1022, consistent with disclosed embodiments. In some embodiments, API management system 104 may generate node-imitating model 1022 at step 1020. Generating and/or training node-imitating model 1022 may be based on data received or retrieved from model storage 108, including one or more models, model characteristics, and/or training criteria. Node-imitating model 1022 may be configured to retrieve and/or receive data from database 110, including one or more datasets. In some embodiments, training node-imitating model 1022 may include receiving a node-testing model (e.g., node-testing model 422) from a data storage (e.g., model storage 108) and training the node-testing model.

API management system 104 may train node-imitating model 1022 to generate model output based on the API output. In some embodiments, training node-imitating model 1022 to generate model output include training the model to generate synthetic data. The synthetic data may satisfy a similarity metric when compared to the API output. In some embodiments, model output of node-imitating model 1022 may include a data marker, consistent with disclosed embodiments.

API management system 104 may train node-imitating model 1022 to generate model output having a predetermined data profile. For example, the predetermined data profile may be based on one or more data markers (e.g., node-imitating model 1022 may generate data with two data markers having a predetermined covariance between data columns).

At step 1030, API management system 104 implements node-imitating model 1022. For example, API management system may route real-time API calls to node-imitating model 1022 to process API calls.

FIG. 11, depicts exemplary process 1100 for managing unauthorized API calls, consistent with disclosed embodiments. In some embodiments, API management system 104 may perform process 1100. One or more of model-training module 336, node-testing module 337, translation module 338, routing module 339, dataset-clustering module 340, and/or honeypot module 341, may perform operations of process 1100, consistent with disclosed embodiments. It should be noted that other components of system 100 may perform one or more steps of process 1100, including, for example, API systems 102 a, 102 b, 102 n and/or client device 112. Process 1100 may be performed based on user inputs or, in some embodiments, process 1100 is executed automatically by a program, script, or routine. For example, process 1100 may be performed according to a schedule or in response to a triggering event. Process 1100 may be performed by an ephemeral container instance, consistent with disclosed embodiments.

At step 1102, API management system 104 receives a call, consistent with disclosed embodiments. Receiving the call may include receiving the call from a client device (e.g., client device 112) or a computing component outside system 100. Receiving a call may include receiving the call from an API node (e.g., one of API systems 102 a, 102 b, or 102 n, or a component of one of the API systems). For example, the call may be a call between nodes of different routing layers as depicted in exemplary interface 250 of FIG. 2B.

At step 1104, API management system 104 classifies the call, consistent with disclosed embodiments. Classifying the call may include using a call-classification model, as described above. In some embodiments, the call may be classified as one of authorized, suspicious, unauthorized, or another call class. Classifying the call may be based on a user account, a log, a failed authentication attempt, a packet sniffing event, a rate of pinging, an IP address, and/or a MAC address.

At step 1106, API management system 104 determines whether the call relates to a malicious campaign, consistent with disclosed embodiments. In some embodiments, determining that the call relates to a malicious campaign includes determining that call characteristics are similar to one or more suspicious calls and/or one or more unauthorized calls. In some embodiments, API management system 104 uses a call-classification model to determine a call relates to a malicious campaign.

At step 1108, API management system 104 sends the call to a node-imitating model, consistent with disclosed embodiments. In some embodiments, step 1108 includes generating or training a node-imitating model, consistent with disclosed embodiments. It should be noted that, before or after step 1108, API management system 104 may continue to route legitimate or authorized call to API nodes or may generate new API nodes (e.g., a secondary live system) to manage legitimate API calls.

At step 1110, API management system 104 receives model output of the node-imitating model, consistent with disclosed embodiments. As previously described in reference to honeypot module 341, model output of the node-imitating model may include synthetic data based on API output.

At step 1112, API management system 104 transmits model output and/or information based on the model output, consistent with disclosed embodiments. Transmitting at step 1112 may include transmitting to a location associated with the call. Transmitting at step 1112 may include transmitting the model output or information based on the model output to a second node-imitating model. For example, if the model output includes a call to a downstream API node, step 1112 may include repeating steps 1108 and 1110. Steps 1108 through 1112 may be repeated any number of times. Repeating steps 1108 through 1112 may include operations performed by routing module 339 (e.g., identifying downstream API nodes associated with an API call, using a routing table, and/or using a routing model).

At step 1114, API management system 104 identifies a location associated with the call, consistent with disclosed embodiments. The location may include an account, an IP address, a MAC address, a URL, or the like.

At step 1116, API management system 104 monitors activity, consistent with disclosed embodiments. Monitoring activity may include classifying future calls (e.g., using a call-classification model), routing calls associated with the location to a node-imitating model, and/or comparing new calls to the call received at step 1102. Step 1116 may include determining, based on the comparison, that a new call is relates to the call receive at step 1102.

At step 1118, API management system 104 generates a log, consistent with disclosed embodiments. In some embodiments, the log includes information associated with the received call (e.g., the location; a timestamp; a classification as authorized, unauthorized, or suspicious). In some embodiments, the log includes information associated with the monitoring of step 1116.

At step 1120, API management system 104 provides the log, consistent with disclosed embodiments. Providing the log may include displaying the log in an interface (e.g., interface 106). Providing the log may include transmitting the log to another component of system 100 (e.g., client device 112; enforcement system 114) and/or or a computing component outside system 100 (e.g., via interface 106).

At step 1122, API management system 104 blocks the location, consistent with disclosed embodiments. Blocking the location may include updating a blacklist.

FIG. 12 depicts exemplary process 1200 for training a node-imitating model, consistent with disclosed embodiments. In some embodiments, API management system 104 may perform process 1200. One or more of model-training module 336, node-testing module 337, translation module 338, routing module 339, dataset-clustering module 340, and/or honeypot module 341, may perform operations of process 1200, consistent with disclosed embodiments. It should be noted that other components of system 100 may perform one or more steps of process 1200, including, for example, API systems 102 a, 102 b, 102 n and/or client device 112. Process 1200 may be performed based on user inputs or, in some embodiments, process 1200 is executed automatically by a program, script, or routine. For example, process 1200 may be performed according to a schedule or in response to a triggering event. Process 1200 may be performed by an ephemeral container instance, consistent with disclosed embodiments.

At step 1202, model-training module 336 receives API call data, consistent with disclosed embodiments. API call data may include API call data API calls, API outputs, and/or API identifiers. Step 1202 may include receiving model characteristics and/or training criteria, consistent with disclosed embodiments. For example, received model characteristics may include a model type, a model parameter, a model hyperparameter, a desired outcome, belongingness to a model cluster, and/or belonginess of a model training dataset to a dataset cluster, the similarity of synthetic data generated by a model to actual data, or other characteristics.

At step 1204, model-training module 336 generates a node-implementing model, consistent with disclosed embodiments. The node-implementing model may include a machine-learning model, consistent with disclosed embodiments. For example, the node-implementing model may include one of an RNN, an LSTM model, a seq2seq model, a CNN, a GAN, an autoencoder, or another neural network model. Generating the node-implementing model at step 1204 may include generating a plurality of model parameters (seeds) to use as starting points for model training. Generating the node-implementing model may include retrieving a node-testing model or a node-implementing model from a data storage (e.g., data 331 or model storage 110). Generating the node-implementing model may be based on model characteristics received at step 1202.

Generating the node-implementing model at step 1204 may be based on the API call data. For example, the API call data may include an API identifier, and generating the node-implementing model may include retrieving a node-implementing model previously trained to produce model output that matched API output of an API associated with the identifier.

At step 1206, model-training module 336 trains the node-implementing model, consistent with disclosed embodiments. Training the model at step 1206 may include training the node-implementing model until one or more training criteria are satisfied, consistent with disclosed embodiments. Training may be based on training criteria received at step 1202. In some embodiments, training includes training the node-implementing model to generate synthetic data. The synthetic data may satisfy a similarity metric when compared to the API output. In some embodiments, model output of the node-imitating model may include a data marker, consistent with disclosed embodiments

At step 1208, model-training module 336 provides the node-implementing model, consistent with disclosed embodiments. Providing the model may include transmitting the model to a module of API management system 104; storing the model in a data storage (e.g., data 331, database 110, or other data storage); displaying a graphical representation of the model (e.g., via interface 106); and/or transmitting the model to another component of system 100 (e.g. API system 102 a, 102 b, 102 n and/or client device 112) and/or to a computing component outside system 100 (e.g., via interface 106).

FIG. 13 depicts exemplary process 1300 for identifying suspicious data, consistent with disclosed embodiments. In some embodiments, API management system 104 may perform process 1300. One or more of model-training module 336, node-testing module 337, translation module 338, routing module 339, dataset-clustering module 340, and/or honeypot module 341, may perform operations of process 1300, consistent with disclosed embodiments. It should be noted that other components of system 100 may perform one or more steps of process 1300, including, for example, API systems 102 a, 102 b, 102 n and/or client device 132. Process 1300 may be performed based on user inputs or, in some embodiments, process 1300 is executed automatically by a program, script, or routine. For example, process 1300 may be performed according to a schedule or in response to a triggering event. Process 1300 may be performed by an ephemeral container instance, consistent with disclosed embodiments.

At step 1302, API management system 104 searches a remote computing resource, consistent with disclosed embodiments. Searching the remote computer resource may include searching a network (e.g., a virtual private network, the internet, or any other network). Searching the remote computing resource may include searching a database. Searching the remote computing resource may include searching enforcement system 114. Searching the remote computing resource at step 1302 may include searching for a data marker. Searching the remote computing resource at step 1302 may include searching for a dataset.

At step 1304 API management system 104 receives suspicious data, consistent with disclosed embodiments. The suspicious data may include a dataset. In some embodiments, the suspicious data may be received in a request from a client device 112 or enforcement system 114. In some embodiments, the suspicious data may be received in response to the searching (e.g., as a download, a search result, or a file transmission).

At step 1306, API management system 104 retrieves model output from one or more node-imitating models, consistent with disclosed embodiments. Retrieving model output may include retrieving a data marker and/or a data profile.

At step 1308, API management system 104 determines a suspiciousness score of the data, consistent with disclosed embodiments. In some embodiments, the suspiciousness score is a likelihood that the data derives from API calls to an API node (e.g. API systems 102 a, 102 b, 102 n or their components) and/or API management system 104. In some embodiments, the suspiciousness score is based on detecting a data marker in the suspicious data. For example, the suspiciousness score may be based on a frequency of the data marker in a dataset. The data marker may be a data marker retrieved at step 1306.

In some embodiments, the suspiciousness score is based on a data profile of the suspicious data. For example, step 1308 may include determining a similarity metric of a data profile of a dataset of the suspicious data and a data profile of a stored dataset (or a stored data profile). The suspiciousness score may be based on the similarity metric (e.g., if the similarity metric indicates high similarity, the suspiciousness score may be high). The data profile of a dataset of the suspicious data may be received (e.g. at step 1304) or determined by API management system 104 (as described above). The stored dataset and/or stored data profile may be stored, for example, in one of data 331 or database 110. The stored dataset and/or stored data profile may be retrieved at step 1306.

At step 1310, API management system 104 identifies a location associated with the suspicious data, consistent with disclosed embodiments. The location may be received at step 1304. The location may be identified based on a call tracing.

At step 1312, API management system 104 provides the suspiciousness score or location, consistent with disclosed embodiments. Providing the suspiciousness score may include displaying the suspiciousness score in an interface (e.g., interface 106). Providing the suspiciousness score may include transmitting the suspiciousness score to another component of system 100 (e.g., client device 112; enforcement system 114) and/or or a computing component outside system 100 (e.g., via interface 106).

Systems and methods disclosed herein involve unconventional improvements over conventional approaches to managing APIs. Descriptions of the disclosed embodiments are not exhaustive and are not limited to the precise forms or embodiments disclosed. Modifications and adaptations of the embodiments will be apparent from consideration of the specification and practice of the disclosed embodiments. Additionally, the disclosed embodiments are not limited to the examples discussed herein. It should be noted that client device 112 and/or one or more of API system 102 a, 102 b, 102 n may perform any of the features or steps described above in regard to API management system 104 in reference to the various embodiments and processes.

The foregoing description has been presented for purposes of illustration. It is not exhaustive and is not limited to the precise forms or embodiments disclosed. Modifications and adaptations of the embodiments will be apparent from consideration of the specification and practice of the disclosed embodiments. For example, the described implementations include hardware and software, but systems and methods consistent with the present disclosure can be implemented as hardware alone.

Computer programs based on the written description and methods of this specification are within the skill of a software developer. The various functions, scripts, programs, or modules can be created using a variety of programming techniques. For example, programs, scripts, functions, program sections or program modules can be designed in or by means of languages, including JAVASCRIPT, C, C++, JAVA, PHP, PYTHON, RUBY, PERL, BASH, or other programming or scripting languages. One or more of such software sections or modules can be integrated into a computer system, non-transitory computer-readable media, or existing communications software. The programs, modules, or code can also be implemented or replicated as firmware or circuit logic.

Moreover, while illustrative embodiments have been described herein, the scope includes any and all embodiments having equivalent elements, modifications, omissions, combinations (e.g., of aspects across various embodiments), adaptations or alterations based on the present disclosure. The elements in the claims are to be interpreted broadly based on the language employed in the claims and not limited to examples described in the present specification or during the prosecution of the application, which examples are to be construed as non-exclusive. Further, the steps of the disclosed methods can be modified in any manner, including by reordering steps or inserting or deleting steps. It is intended, therefore, that the specification and examples be considered as exemplary only, with a true scope and spirit being indicated by the following claims and their full scope of equivalents. 

What is claimed is:
 1. A system comprising: one or more memory units storing instructions; and one or more processors that execute the instructions to perform operations comprising: receiving a call from a client device; classifying the call as unauthorized based on call data associated with the call; obtaining, from a routing model, routing data for the call based on the call data associated with the call; and sending, based on the classifying and the routing data, the call to a node-imitating model of a plurality of node-imitating models such that (i) the call is sent to a first node-imitating model in response to the call data being first call data and (ii) the call is sent to a second node-imitating model in response to the call data being second call data different from the first call data, wherein the first and second node-imitating models have different configurations for processing the call.
 2. The system of claim 1, wherein the operations further comprise: providing training call data to the routing model to train the routing model to route calls to one or more of the plurality of node-imitating models.
 3. The system of claim 2, wherein the operations further comprise: receiving, from the first node-imitating model, synthetic node output data based on the call; providing the synthetic node output data to the client device; receiving a second call and classifying the second call as unauthorized based on second call data associated with the second call; and sending the second call to the second node-imitating model based on the classifying of the second call, the second call data, and the trained routing model.
 4. The system of claim 3, wherein the operations further comprise: sending a notification to the client device based on the synthetic node output data, the notification comprising a data marker; searching a remote computing resource for the data marker; receiving search results from the remote computing resource; identifying a location of the data marker based on the search results; and storing the location.
 5. The system of claim 4, wherein the location comprises at least one of an IP address, a MAC address, or a uniform resource locator (URL).
 6. The system of claim 1, wherein the operations further comprise: providing (i) a first set of training data related to a first set of prior calls to the first node-imitating model and (ii) a second set of training data related to a second set of prior calls to the second node-imitating model to train the first and second node-imitating models, wherein the first and second node-imitating models have the different configurations as a result of the training of the first and second node-imitating models.
 7. The system of claim 1, wherein: the first node-imitating model comprises a machine-learning model; and the operations further comprise: receiving call data based on a plurality of calls; receiving synthetic node output data based on the plurality of calls; and training the first node-imitating model using the call data and the synthetic node output data.
 8. The system of claim 7, wherein: the synthetic node output data is first synthetic node output data; and training the first node-imitating model comprises iteratively training by: generating, based on the call data, second synthetic node output data using the first node-imitating model; determining a first similarity metric value between the second synthetic node output data and the synthetic node output data; and performing, based on the first similarity metric value, one of: updating a parameter of the first node-imitating model; or terminating training of the first node-imitating model.
 9. The system of claim 1, wherein classifying the first call as unauthorized comprises classifying the first call as unauthorized based on at least one of a log, a failed authentication attempt, a packet-sniffing event, a rate of pinging, an account, an Internet Protocol (IP) address, or a media access control (MAC) address.
 10. The system of claim 1, the operations further comprising: identifying a location associated with the client device, the location comprising at least one of an IP address or a MAC address; and blocking the location from accessing an API node associated with any of the plurality of node-imitating models.
 11. A method, comprising: receiving a call from a client device; classifying the call as unauthorized based on call data associated with the call; obtaining, from a routing model, routing data for the call based on the call data associated with the call; and sending, based on the classifying and the routing data, the call to a node-imitating model of a plurality of node-imitating models such that (i) the call is sent to a first node-imitating model in response to the call data being first call data and (ii) the call is sent to a second node-imitating model in response to the call data being second call data different from the first call data.
 12. The method of claim 11, further comprising: providing training call data to the routing model to train the routing model to route calls to one or more of the plurality of node-imitating models.
 13. The method of claim 12, further comprising: receiving, from the first node-imitating model, synthetic node output data based on the call; providing the synthetic node output data to the client device; receiving a second call and classifying the second call as unauthorized based on second call data associated with the second call; and sending the second call to the second node-imitating model based on the classifying of the second call, the second call data, and the trained routing model.
 14. The method of claim 13, further comprising: sending a notification to the client device based on the synthetic node output data, the notification comprising a data marker; searching a remote computing resource for the data marker; receiving search results from the remote computing resource; identifying a location of the data marker based on the search results; and storing the location.
 15. The method of claim 11, further comprising: providing (i) a first set of training data related to a first set of prior calls to the first node-imitating model and (ii) a second set of training data related to a second set of prior calls to the second node-imitating model to train the first and second node-imitating models, wherein the first and second node-imitating models have different configurations as a result of the training of the first and second node-imitating models.
 16. The method of claim 11, wherein: the first node-imitating model comprises a machine-learning model; and the method further comprises: receiving call data based on a plurality of calls; receiving synthetic node output data based on the plurality of calls; and training the first node-imitating model using the call data and the synthetic node output data.
 17. The method of claim 16, wherein: the synthetic node output data is first synthetic node output data; and training the first node-imitating model comprises iteratively training by: generating, based on the call data, second synthetic node output data using the first node-imitating model; determining a first similarity metric value between the second synthetic node output data and the synthetic node output data; and performing, based on the first similarity metric value, one of: updating a parameter of the first node-imitating model; or terminating training of the first node-imitating model.
 18. The method of claim 11, wherein classifying the first call as unauthorized comprises classifying the first call as unauthorized based on at least one of a log, a failed authentication attempt, a packet-sniffing event, a rate of pinging, an account, an Internet Protocol (IP) address, or a media access control (MAC) address; and wherein the method further comprises: identifying a location associated with the client device, the location comprising at least one of the IP address or the MAC address; and blocking the location from accessing an API node associated with any of the plurality of node-imitating models.
 19. A non-transitory computer readable medium comprising instructions that, when executed by one or more processors, perform operations comprising: receiving a call from a client device; classifying the call as unauthorized based on call data associated with the call; obtaining, from a routing model, routing data for the call based on the call data associated with the call; and sending, based on the classifying and the routing data, the call to a node-imitating model of a plurality of node-imitating models such that (i) the call is sent to a first node-imitating model in response to the call data being first call data and (ii) the call is sent to a second node-imitating model in response to the call data being second call data different from the first call data.
 20. The medium of claim 19, the operations further comprising: providing (i) a first set of training data related to a first set of prior calls to the first node-imitating model and (ii) a second set of training data related to a second set of prior calls to the second node-imitating model to train the first and second node-imitating models, wherein the first and second node-imitating models have different configurations as a result of the training of the first and second node-imitating models; wherein: the first node-imitating model comprises a machine-learning model; and the operations further comprise: receiving call data based on a plurality of calls; receiving synthetic node output data based on the plurality of calls; and training the first node-imitating model using the call data and the synthetic node output data. 